Vulnerability Details : CVE-2020-14332
A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.
Products affected by CVE-2020-14332
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-14332
EPSS score: 0.19% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~39% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2020-14332
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N | 3.9 | 2.9 | NIST | |
5.5 | MEDIUM | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 | Red Hat, Inc. | |
5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 1.8 | 3.6 | NIST | |
CWE ids for CVE-2020-14332
- The product does not neutralize or incorrectly neutralizes output that is written to logs. Assigned by: secalert@redhat.com (Primary)
- The product writes sensitive information to a log file. Assigned by: nvd@nist.gov (Secondary)
References for CVE-2020-14332
- https://github.com/ansible/ansible/pull/71033
  copy - redact 'content' from invocation in check mode by s-hertel · Pull Request #71033 · ansible/ansible · GitHub (Patch; Third Party Advisory)
- https://www.debian.org/security/2021/dsa-4950
  Debian -- Security Information -- DSA-4950-1 ansible (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14332
  1857805 – (CVE-2020-14332) CVE-2020-14332 Ansible: module_args does not censor properly in --check mode (Issue Tracking; Vendor Advisory)